GDPR compliancy for EU users / Privacy Shield ruled invalid by EU

rolffokkens
Member

Hi all,
According to:
https://www.wired.co.uk/article/privacy-shield-ruling
and
https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf

The privacy shield is no longer valid, meaning that we can no longer store EU citizens' data in the US. We're looking for a proper legal base to continue using HubSpot. Any info is appreciated.
Thanks,
Rolf

JessicaH
HubSpot Alumni

Hi @rolffokkens,

Thanks for reaching out.

I want to tag in some thought leaders to see if they can assist with this.

Hi @Nynke_HM @mike-ward @rikkilear, would you be able to share your thoughts with @rolffokkens?

Thanks!

Jess  



mike-ward
Key Advisor

Hi @rolffokkens,

Thanks for sharing.

Just to get a quick caveat in: I'm not a lawyer, don't work for HubSpot, etc., etc. 🙂

However, as alluded to in that article, I believe HS relies on SCCs rather than the Privacy Shield for this case.

The pertinent document seems to be this one, which was just updated a couple of days ago in light of this ruling: https://legal.hubspot.com/dpa

Privacy Shield: Although HubSpot, Inc. does not rely on the EU-US Privacy Shield as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as HubSpot, Inc. is self-certified to the Privacy Shield HubSpot Inc will process European Data in compliance with the Privacy Shield Principles and let you know if it is unable to comply with this requirement.

There's a lot more in the whole document around the SCCs and data transfer and compliance in general.

Hope that helps!

Cheers,

Mike

Snaedis
HubSpot Product Team

@mike-ward is right, I understand from a memo our data privacy team shared that customers can continue to use HubSpot without disruption because HubSpot's Customer Data Processing Agreement (DPA) includes the Standard Contractual Clauses (SCCs) as the mechanism to transfer data from the EU to the US. You do not need to take any action for the SCCs to apply because they are already incorporated in the DPA as referenced by our Customer Terms of Service (TOS). More details available here.

On a related note, I'm interested in hearing more about how HubSpot could better support privacy needs and make things easier for you. Please message me if you're willing to talk about it with me - I have some ideas, and I'd like to hear your thoughts!

- Snaedis 

Snaedis Valsdottir
Associate Product Manager, CMS Publishing
rolffokkens
Member

The privacy shield allowed EU citizen data to be stored in the US; without this (the EU no longer considers the privacy shield valid), EU citizen data must be stored in the EU. Partly for this reason all major cloud providers (AWS, Azure, Gcloud) have datacenters in the EU.

Assuming HubSpot is also using Cloud, I'd suggest to use EU based cloud services for EU customers. Make this known, and certify this. Then our (EU based company) problem is solved I think.

From a technical perspective I have no doubt that NSA will still be able to access data in EU based cloud services for any US based cloud provider (AWS, Azure, Gcloud), but apparently that is not debated in the EU.

PeterF
Participant
The place where the server is located doesn't matter; after the US government issued laws such as the CLOUD Act years ago on counter-terrorism, their intelligence services can and may access any server of any US company, no matter where the server is.
Mihaela2018
Member

Thank you for confirming that HubSpot's Customer Data Processing Agreement (DPA) includes the Standard Contractual Clauses (SCCs) as the mechanism to transfer data from the EU to the US and that the HubSpot customers don't need to take any action for the SCCs to apply because they are already incorporated in the DPA as referenced by HS Customer Terms of Service (TOS).

My question is: Was this also confirmed by any EU lawyers? It would be very useful for your customers to have this reassurance. Can you tell me whom I should contact to clarify this point?

Thank you!

PeterF
Participant
So the judgment of the ECJ is clear: SCC can only be applied if there can be no interference with the data... but after this is not the case with a US company due to the CLOUD Act and other laws, SCC is also not possible, as it would be based on an untrue level of data protection. Thus, the data transmission is up-to-date as to a third country and unfortunately our trip with HubSpot ends at this point because we cannot expect and prescribe this to our customers.
Winqvist
Participant

It would be interesting to hear whether there are any plans for a European sandbox environment where no data leaves the EU and is only handled by HubSpot staff in the EU. I do not know if you have to set up a European company that is not owned by the American company to get away from the US CLOUD Act. With this setup you should be fully compliant.

PeterF
Participant

True! A European company that is not owned by an American company could be the only way at the moment.

Snaedis
HubSpot Product Team

What an interesting conversation we have going here! 


@Mihaela2018 I don't know which lawyers were involved on HubSpot's side, and definitely recommend you consult with your own legal counsel to make sure your particular setup follows best practices. I don't think any single lawyer, regardless of where they're located, can make a blanket statement that would suit everyone's needs.

It seems like there's some misunderstanding in this thread about the CLOUD Act - read more about that here. Disclaimer: I'm not a lawyer, I've just been reading about this since you all mentioned it 😁  but from what I understand, the CLOUD Act doesn't make it so that the US government can just get whatever data they want. It seems to be more about facilitating data sharing between countries in the pursuit of serious criminal cases. It doesn't even require any company to share data that is requested, it just makes it easier for countries to process the request. Interestingly, it seems that the US receives many more requests for data than it sends out to other countries. Probably because there are so many communications service providers in the US. 

PeterF
Participant

Max Schrems, who won this judgment, gave very clear and detailed instructions that show what companies in Europe now have to do (including sample questionnaires to US companies based in Europe).

Read more here: https://noyb.eu/en/next-steps-eu-companies-faqs

Snaedis
HubSpot Product Team

That looks like a great resource, thanks for sharing! The FISA factor seems like a key question, and some big providers are listed there as being "under FISA". So I'm curious, are there any go-to hosting providers that are generally seen as go-to sources for companies that need to comply with GDPR? 

PeterF
Participant

Look - the things are simple. SCC cannot be granted as it is clear that the US government has access to all US company servers through various laws. "Privacy Shield" is history and the SCC are therefore not possible. No US company can sign SCC with a "clear conscience" - because it is clear that what they are signing cannot comply with the law - namely the data sovereignty of users within Europe.

Winqvist
Participant

Thanks for a good discussion. Unfortunately, it feels like the future will involve a lot of work with legal discussions and interpretations. If you have to create a European company, you can always apply the IKEA structure where the European companies buy licenses and the right to use HubSpot as a trademark from the American company 🙂